TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Disaster Recovery Issues Have Not Been Effectively Resolved, but Progress Is Being Made

February 29, 2008

Reference Number: 2008-20-061

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

February 29, 2008

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM: (for) Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Disaster Recovery Issues Have Not Been Effectively Resolved, but Progress Is Being Made (Audit # 200720005)

This report presents the results of our review to determine the effectiveness of the corrective actions taken to resolve the previously reported disaster recovery material weaknesses.[1] This review was part of the Treasury Inspector General for Tax Administration Fiscal Year 2007 Annual Audit Plan coverage.

Impact on the Taxpayer

The Internal Revenue Service (IRS) declared the Disaster Recovery Program[2] a material weakness in March 2005 and is taking several actions to improve the Program. However, Disaster Recovery Program weaknesses have not been effectively resolved. As a result, the IRS cannot ensure minimal disruption to tax administration activities, which include the collection of approximately $2.7 trillion in revenue for the Federal Government and processing of more than 228 million tax returns.

Synopsis

Treasury Directive 85-01, Information Technology Security Program, dated February 13, 2003, states the Bureau Chief Information Officers shall designate a point of contact to coordinate all policy issues related to information systems security. The Federal Information Security Management Act (FISMA)[3] requires Federal Government agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the disruption or destruction of information. Disaster recovery is an organization's ability to respond to an interruption in services by implementing a plan to restore critical business functions.

In March 2005, we reported[4] significant Disaster Recovery Program weaknesses continued to be unresolved and determined that 27 of 44 corrective actions for prior audit recommendations in the Program had not been completed. Therefore, we recommended, and the IRS agreed, the Disaster Recovery Program should be reported as a material weakness.

Since declaring the Program as a material weakness in March 2005, the IRS has effectively implemented some corrective actions to address prior audit recommendations and has taken other constructive measures to help ensure future progress toward ultimately resolving the material weakness.

[1] See Appendix V for a Glossary of Terms.
[2] The Disaster Recovery Program serves to facilitate cross-organizational buy-in, participation, concurrence, and communication of all IRS disaster recovery activities.
For example, on October 1, 2006, the IRS incorporated disaster recovery into the overall Computer Security Material Weakness Plan,[5] identifying five corrective action components. In December 2006, the Chief Information Officer listed the completion of corrective actions to demonstrate progress in resolving the Computer Security Material Weakness as one of the Chief Information Officer Commitments for Calendar Year 2007. Finally, in October 2007, the IRS formed a new Disaster Recovery Program Office within the Modernization and Information Technology Services organization's Cybersecurity organization to provide oversight, accountability, and responsibility for developing and maintaining the IRS Enterprise Disaster Recovery Strategy.

Sidebar: Several actions have been taken to address Disaster Recovery Program weaknesses. However, corrective actions to address prior audit recommendations and material weakness components have not been effectively implemented.

We also determined that some corrective actions taken by the IRS in addressing prior audit recommendations have not been effectively implemented. For example, copies of the disaster recovery plans were not stored at the recovery sites' offsite storage facilities or centralized in designated electronic file locations. In one disaster recovery exercise, participants used a combination of the Disaster Recovery Exercise Plan (because a Disaster Recovery Plan was not available) and individual reference material they had brought to the exercise to recover the system(s). Evidence supporting announced, unannounced, and annually planned tests of the offsite storage vendors' ability to timely deliver all backup files and documentation to the disaster recovery site was not available. Finally, documentation was not provided to support the disaster recovery training strategy.

[3] The FISMA is part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[4] See report #12 in Appendix IV.
[5] Computer Security Material Weakness Plan, IRS-2A-01-01, as Material Weakness Area 1-6, Information Technology Contingency Planning.

Our review of the disaster recovery-related Computer Security Material Weakness Plan corrective actions determined the actions have not been effectively implemented. We identified a major information technology system directly supporting 4 of the 25 critical processes[6] and cited as having an Information Technology Contingency Plan. However, the system did not have an Information Technology Contingency Plan. The gap analysis (originally due October 1, 2005) of the current Modernization and Information Technology Services organization business resumption capabilities against business unit requirements, including both Recovery Point Objectives and Recovery Time Objectives, for all major systems has not been completed. Items notated as critical in disaster recovery exercise summary reports were not always addressed in subsequent year testing. Disaster recovery plan documentation is not standardized, complete, or accurate.
Finally, the IRS is not currently collecting and reporting metrics to assess progress and track improvements within the Disaster Recovery Program.

Recommendations

The Chief Information Officer should:

1. Ensure all Disaster Recovery Plan documentation is standardized, complete, accurate, readily accessible in the event of disaster, detailed enough to be used verbatim to react to a worst-case scenario, and reviewed quarterly.
2. Ensure effective completion of tasks as required in disaster recovery guidance incorporated in the Internal Revenue Manual from the Office of Management and Budget, National Institute of Standards and Technology, and the FISMA.
3. Ensure offsite storage vendors' ability to timely deliver all disaster recovery backup files and documentation to the disaster recovery site using announced, unannounced, and annually planned tests.
4. Ensure appropriate disaster recovery site personnel are identified and provided with annual training to ensure they have the ability to implement the Disaster Recovery Plan.
5. Ensure disaster recovery exercise lessons learned or action items deemed as critical are included in subsequent exercises.
6. Ensure a permanent file is established for keeping documentation supporting closure of prior recommended corrective actions and completion of material weakness corrective action plan components related to the Information Technology Contingency Planning material weakness.

Response

IRS management agreed with our recommendations. Planned corrective actions include ensuring all Disaster Recovery Plan documentation is standardized, accurate, comprehensive, appropriately detailed, up-to-date, and written in a clear, cohesive format; ensuring the accessibility and availability of all Plan documentation; developing a comprehensive Disaster Recovery Internal Revenue Manual and ensuring all program-related documentation adheres to and complies with all relevant Federal Government guidance; ensuring effective completion of tasks as required in the Internal Revenue Manual; implementing a repeatable process that includes an Information Technology Contingency Plan/Disaster Recovery Test Guide and Checklist; developing a comprehensive disaster recovery specific training curriculum and training all individuals who have disaster recovery responsibilities; developing a database as training is completed to provide an assessment report to management for use in evaluating training progress, qualified personnel, and skill-set risks; and developing a repeatable process to ensure subsequent exercises include lessons learned or action items deemed as critical.

Management also established the Modernization and Information Technology Services organization's Information Technology Disaster Recovery organization. The responsibilities of this program office include validating all closure activities for corrective actions and collecting and maintaining all documentation that supports closure and/or mitigation of all corrective actions, material weaknesses, and any outstanding year-to-year weaknesses remediation recommendations. Management's complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

[6] Eighteen critical business processes and seven critical administrative or infrastructure processes.

Table of Contents

Background ... Page 1
Results of Review ... Page 4
    Several Actions Have Been Taken to Address the Disaster Recovery Program Weaknesses ... Page 4
    Additional Management Actions Are Needed to Effectively Address Disaster Recovery Program Weaknesses ... Page 5
        Recommendation 1 ... Page 10
        Recommendations 2 through 4 ... Page 11
        Recommendations 5 and 6 ... Page 12
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ... Page 13
    Appendix II – Major Contributors to This Report ... Page 15
    Appendix III – Report Distribution List ... Page 16
    Appendix IV – Prior Audit Reports Addressing Disaster Recovery ... Page 17
    Appendix V – Glossary of Terms ... Page 18
    Appendix VI – Management's Response to the Draft Report ... Page 21

Abbreviations

ECC    Enterprise Computing Center
FISMA  Federal Information Security Management Act
IRS    Internal Revenue Service

Background

Disaster recovery is an organization's ability to respond to an interruption in services by implementing a plan to restore critical business functions. In March 2005, we reported[1] significant Disaster Recovery Program[2] weaknesses continued to be unresolved and determined that 27 of 44 corrective actions for prior audit recommendations in the Program had not been completed. Therefore, we recommended and the Internal Revenue Service (IRS) agreed that the Disaster Recovery Program should be reported as a material weakness[3] and should include the following actions:

1. Obtain Modernization and Information Technology Services organization, Mission Assurance and Security Services organization (recently renamed to Cybersecurity and moved under the Modernization and Information Technology Services organization), and business unit executive support for the establishment of Business Resumption Strategy[4] and Disaster Recovery Strategy effort due dates and the monitoring and reporting of the progress and status of the efforts.
2. Complete the Business Resumption Strategy and Disaster Recovery Strategy efforts and identify the Modernization and Information Technology Services organization disaster recovery requirements (including Modernization requirements).
3. Conduct a gap analysis to identify the difference between the Modernization and Information Technology Services organization disaster recovery requirements and current capabilities.
4. Coordinate with IRS, Department of the Treasury, and Office of Management and Budget management to obtain the resources needed to correct the material weakness.

Sidebar: Disaster recovery is an organization's ability to respond to an interruption in services by implementing a plan to restore critical business functions. Based on reported significant Disaster Recovery Program weaknesses, the IRS reported the Program as a material weakness.

[1] See report #12 in Appendix IV.
[2] The Disaster Recovery Program serves to facilitate cross-organizational buy-in, participation, concurrence, and communication of all IRS disaster recovery activities.
[3] See Appendix V for a Glossary of Terms.
[4] The Chief, Agency-Wide Shared Services, is responsible for the overall IRS Business Resumption Strategy and the Associate Chief Information Officer, Management, is responsible for the Modernization and Information Technology Services organization's Business Resumption Strategy.

In March 2005, the IRS declared the Disaster Recovery Program a material weakness. On October 1, 2006, the IRS incorporated disaster recovery into the overall Computer Security Material Weakness Plan, IRS-2A-01-01, as Material Weakness Area 1-6, Information Technology Contingency Planning.
Figure 1 describes the five material weakness corrective action components.

Figure 1: Material Weakness Corrective Action Components

Corrective Action Component / Description

Information Technology Contingency Plan prioritization: Maintain a prioritized list of critical information technology systems that support critical business processes and ensure Information Technology Contingency Plans exist for these systems.

Establish recovery capability: Develop and maintain Information Technology Contingency Plans associated with general support systems to include all components that support critical applications, establish and maintain data and processing backup-recovery capability, and ensure maximum allowable outage times meet the recovery time objectives of the applications being supported.

Disaster Recovery Plan test and exercise development: Develop baseline expectations and requirements for Disaster Recovery Plan and Disaster Recovery Plan tests and exercises. Identify roles and responsibilities for documenting the Disaster Recovery Plan and Disaster Recovery Plans testing requirements. Also, identify the frequency and type of testing required and reporting requirements.

Test and review adequacy of plans: Conduct both desktop and end-to-end disaster recovery tests for critical applications. Perform annual system risk assessments to promote and track Information Technology Contingency Plan and Disaster Recovery Plan improvements.

Material weakness area metrics: Establish and maintain collection and reporting of metrics to assess progress and track improvements in all component activity implementations over time.

Source: The IRS Computer Security Material Weakness Plan, IRS-2A-01-01, dated October 1, 2006.

This review was performed at the Modernization and Information Technology Services organization offices in New Carrollton, Maryland; Martinsburg, West Virginia; Memphis, Tennessee; and Atlanta, Georgia, during the period March through October 2007. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. This review was part of the Treasury Inspector General for Tax Administration Fiscal Year 2007 Annual Audit Plan coverage under the major management challenge of Security of the IRS. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

Results of Review

Several Actions Have Been Taken to Address the Disaster Recovery Program Weaknesses

Treasury Directive Number 85-01, Department of the Treasury Information Technology (IT) Security Program, dated February 13, 2003, states the Bureau Chief Information Officers shall designate a point of contact to coordinate all policy issues related to information systems security (including information technology security, operational security (threats and vulnerability assessments), emissions security, certificate management, electronic authentication, continuity planning, and critical infrastructure protection). Office of Management and Budget Circular A-123, Management's Responsibility for Internal Control, dated December 21, 2004, requires agencies to take timely and effective action to correct management control deficiencies and to complete implementation of agreed corrective actions within 1 year to the extent practicable.

Our review of implemented corrective actions to address prior audit recommendations determined the IRS effectively implemented some of the corrective actions. For example:

1. In a March 2004 audit report,[5] we recommended the Chief Information Officer implement cost-effective solutions that would reduce the time needed to restore the Master File to the 36 hours required for critical business processes by revising the Master File backup procedures and Master File Disaster Recovery Plan to provide for storage of the disaster recovery backup files and documentation at the Enterprise Computing Center (ECC)-Memphis. The corrective action agreed to for this recommendation was effectively implemented. We verified the ECC-Martinsburg is using a process for shipping a copy of the Master File operating system files to the ECC-Memphis weekly.

   We also recommended the Chief Information Officer ensure disaster recovery tests are based on catastrophic scenarios and include tests integrated with the recoveries of interdependent systems. The recommendation was addressed. The IRS added the following systems to the Computing Center disaster recovery tests: the Automated Collection System (a mainframe-based system) in October 2004; the Customer Accounts Data Engine (a Tax Systems Modernization system) in September 2006; and the Automated Underreporter system (a mid-range computer system) in July 2007.

2. In an April 2004 audit report,[6] we recommended for the offices reviewed (ECC-Martinsburg, ECC-Memphis, Atlanta Campus, and Atlanta Territory) that the Chief Information Officer ensure each site perform at least one exercise of each Disaster Recovery Plan element annually. The recommendation was addressed. We verified each office is conducting annual disaster recovery testing.

The IRS also annually performs comprehensive disaster recovery exercises to test recovery of systems and operations at its three Computing Center locations and is performing periodic stand-alone exercises for some critical systems. During three disaster recovery exercises we observed, the disaster recovery exercise participants effectively used the exercise plans to monitor the plan execution, held exercise status update meetings twice each day, worked together to resolve issues, and agreed to build lessons learned into future Disaster Recovery Exercise Plans.

In addition, in December 2006, the Chief Information Officer listed the completion of corrective actions to demonstrate progress in resolving the Computer Security Material Weakness as one of the Chief Information Officer Commitments for Calendar Year 2007. The current Disaster Recovery Program Director was appointed in late Calendar Year 2005 and was responsible for both the Disaster Recovery and the Computer Security Incident Response Center Programs until the programs were separated in July 2007. In October 2007, the IRS formed a new Disaster Recovery Program Office within the Modernization and Information Technology Services organization's Cybersecurity organization to provide oversight, accountability, and responsibility for developing and maintaining the IRS Enterprise Disaster Recovery Strategy. Additional staff and funding have been committed for disaster recovery through the new office.

[5] See report #6 in Appendix IV.

Additional Management Actions Are Needed to Effectively Address Disaster Recovery Program Weaknesses

Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, dated December 17, 2003, and the Federal Information Security Management Act (FISMA)[7] require Federal Government agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the disruption or destruction of information. In addition, the FISMA requires management to identify and report significant vulnerabilities and the associated Plans of Action and Milestones to address the vulnerabilities. The vulnerabilities will be included in the Federal Managers' Financial Integrity Act of 1982[8] material weaknesses reported annually to the Secretary of the Treasury, Congress, and the President. The Internal Revenue Manual further emphasizes the importance of identifying and reporting material weakness control deficiencies that significantly impair the fulfillment of the IRS mission or that the Commissioner determines to be of sufficient importance to be reported outside of the IRS until corrected.

[6] See report #8 in Appendix IV.
[7] The FISMA is part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[8] 31 U.S.C. §§ 1105, 1113, 3512 (2000).
The Government Accountability Office Standards for Internal Control in the Federal Government[9] provide that documentation should be maintained to provide evidence of actions taken to address risks in a computerized information system environment and the documentation should be readily available for examination.

The FISMA also requires each Federal Government agency to develop, document, and implement an agencywide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. An effective information security program should include, in part, subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate, and periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk but no less than annually. The Internal Revenue Manual states contingency development, testing, and maintenance shall be coordinated with other related plans including the Business Continuity Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan, and Incident Response Plan.

National Institute of Standards and Technology Contingency Planning Guide for Information Technology Systems (Special Publication 800-34), dated June 2002, states that, to be successful, management must develop or reexamine their information technology contingency planning policies and plans with emphasis on maintenance, training, and exercising the contingency plan. In addition, best practices outline performance indicators as a mechanism for measuring the success of the disaster recovery process and plan. Performance indicators may include periodic tests, periodic reports, and review and analysis of the disaster recovery process.

Corrective actions for prior audit recommendations have not been effectively implemented

Our review of 27 closed corrective actions (i.e., corrective actions reported as completed by the IRS in the Joint Audit Management Enterprise System) determined the IRS did not have documentation to show the actions were taken before closing all corrective actions and to show permanent improvements were made to the disaster recovery process. For example:

1. In an April 2003 audit report,[10] we recommended the Chief Information Officer ensure the ECC-Detroit and the ECC-Memphis store all required documents for all of their consolidated mid-range computer systems at the offsite facility (either in hardcopy or in an easily retrievable electronic copy). The IRS agreed to have the ECC-Detroit identify the documentation available and ensure copies were stored offsite. The IRS also agreed to conduct audits of mid-range systems for required certification documents as stated in the Internal Revenue Manual and any other appropriate documentation that were to be stored offsite. Finally, the IRS agreed to have its National Office provide complete documentation to the ECC-Detroit.

[9] GAO/AIMD-00-21.3.1, dated November 1999.
[10] See report #3 in Appendix IV.
   After modifying the original corrective action completion due date from December 15, 2003, to April 15, 2004, to allow more time to develop an electronic system to track the offsite documentation and Disaster Recovery and Business Resumption Plans, the IRS showed the corrective action for this recommendation was closed as completed on April 1, 2004. However, during our observation of two disaster recovery tests, we determined the IRS did not have permanent hardcopies of the Disaster Recovery Plans stored at the recovery sites' offsite storage facilities or centralized in designated electronic file locations.

2. In an August 2004 audit report,[11] we recommended the Chief Information Officer test and evaluate the ECC-Detroit offsite storage vendor's ability to deliver in a timely manner the mainframe computer disaster recovery backup files and documentation to the ECC-Memphis and determine whether the ECC-Detroit backup procedures and Disaster Recovery Plan should be revised to provide for backup files and documentation to be stored at the ECC-Memphis. The IRS agreed to have the Enterprise Operations organization validate that the ECC-Detroit offsite storage vendor can deliver in a timely manner the mainframe computer disaster recovery backup files and documentation to the ECC-Memphis. The IRS also agreed that, in addition to the ECC-Detroit's annual planned disaster recovery exercise, it would annually conduct a random test of the offsite vendor's ability to deliver backup files in a timely manner. This test would be unannounced and, upon completion of the test, a determination would be made as to whether the Plan should be revised to provide for backup files and documentation to be stored at the ECC-Memphis. The IRS closed these corrective actions as completed as of January 6, 2005. However, the IRS was unable to provide evidence supporting announced, unannounced, and annually planned tests of the offsite storage vendor's ability to deliver in a timely manner all backup files and documentation to the disaster recovery site.

3. In the April 2003 audit report previously cited,[12] we recommended the Chief Information Officer develop a schedule to periodically train ECC-Detroit, ECC-Martinsburg, and ECC-Memphis employees in their disaster recovery roles and responsibilities. The IRS agreed to develop a disaster recovery training strategy and draft training manuals on roles and responsibilities. The corrective action was closed as completed on November 9, 2004. However, the IRS was not able to provide (1) a copy of the disaster recovery training strategy, (2) copies of the training manuals regarding personnel roles and responsibilities, or (3) support for disaster recovery training (e.g., training dates, types, and participants). As a result of ineffective disaster recovery training, the IRS does not have personnel onsite at the recovery location to fully perform disaster recovery duties. During disaster recovery exercises, we observed employees who were responsible for restoring production systems performing the recovery duties rather than the personnel who were assigned to the recovery location.

4. In a March 2004 audit report,[13] we recommended the Chief Information Officer ensure the Master File Disaster Recovery Plan is complete, detailed enough to be used verbatim to react to a worst-case scenario, accurate, reviewed quarterly, and updated as needed. The IRS agreed the Director, ECC-Martinsburg, will ensure, as resources permit, that the Master File Disaster Recovery Plan will be revised to allow recovery by non-ECC-Martinsburg technical personnel and that the Master File Disaster Recovery Plan is complete, detailed enough, accurate, reviewed quarterly, and updated as needed. The IRS closed the corrective action as completed on December 7, 2004. However, our review of the Master File Disaster Recovery Plan determined reviews were not always performed quarterly.

Sidebar: The corrective actions taken by the IRS to address prior audit recommendations did not effectively resolve the reported issues.

[11] See report #9 in Appendix IV.
[12] See report #3 in Appendix IV.
In addition, while our observation of the Master File disaster\n          recovery test determined test participants were using the Master File Disaster Recovery\n          Plan, our observation of one other mainframe disaster recovery test determined that\n          recovery site personnel used a combination of the Disaster Recovery Exercise Plan\n          (because a Disaster Recovery Plan was not available) and individual reference materials\n          they had brought to the exercise to recover the system(s) during the disaster recovery\n          exercise.\n\nMaterial weakness corrective actions have not been effectively implemented\nWe reviewed the five open corrective action components documented by the IRS in its overall\nComputer Security Material Weakness Plan for improving the disaster recovery process. The\nresults of our corrective action component review follow.\nInformation Technology Contingency Plan prioritization \xe2\x80\x93 Completion due date:\nSeptember 30, 2008.\nThe IRS is in the process of replacing the Technical Contingency Planning Documents with\nInformation Technology Contingency Plans and has scheduled completion of this effort over a\n3-year period ending in Fiscal Year 2008. The new Information Technology Contingency Plans\nwill include Appendix H (i.e., Disaster Recovery Plan), which provides specific procedures for\nrecovering key application components.\n\n\n\n13\n     See report #6 in Appendix IV.\n                                                                                                 Page 8\n\x0c                       Disaster Recovery Issues Have Not Been Effectively Resolved,\n                                       but Progress Is Being Made\n\n\n\nWe judgmentally selected 8 of 30 major information technology systems identified as directly\nsupporting the 25 critical processes14 to determine whether the systems had Information\nTechnology Contingency Plans prepared and tested. 
We found that 1 of the 8 systems did not have an Information Technology Contingency Plan prepared and tested, even though it is one of the systems supporting 4 or more of the 25 critical processes. The IRS Certification Program Office's schedule showed the system as having an Information Technology Contingency Plan. However, we determined the system still has a Technical Contingency Planning Document dated December 6, 2006.

14 Eighteen critical business processes and seven critical administrative or infrastructure processes.

Establish recovery capability – Completion due date as modified by management during our review: September 30, 2010 (completion was originally due September 30, 2008).

The IRS committed, originally by October 1, 2005, to performing a gap analysis of the current Modernization and Information Technology Services organization business resumption capabilities against business unit requirements, including both Recovery Point Objectives and Recovery Time Objectives for all major systems. In February 2007, the IRS hired a contractor to assist in preparing a business impact analysis due to be completed in January 2008. The business impact analysis will include the gap analysis and will confirm which applications exist and the Recovery Time Objectives and Recovery Point Objectives expected for each.

Disaster Recovery Plan Test and Exercise Development – Completion due date as modified by management during our review: December 31, 2008 (completion was originally due September 30, 2008).

The IRS is responsible for ensuring disaster recovery test and exercise activities include timely and efficient reporting of exercise results. However, where lessons learned or action items from prior year tests were recorded and recommended as critical, the items were not always addressed in the subsequent year's testing. For example, a Calendar Year 2006 disaster recovery exercise identified the need to include in the Calendar Year 2007 exercise a test to ensure modified computer programming could be implemented while in disaster recovery mode. The Calendar Year 2007 exercise summary report cites completion of this item as one of the main goals for the Calendar Year 2007 exercise; however, the goal was not accomplished because no one involved in the exercise ensured the prior year item was addressed.

Test and review adequacy of plans – Completion due date as modified by management during our review: December 31, 2010 (completion was originally due September 30, 2008).

Based on our review of offsite storage boxes and designated electronic file locations, the IRS is not properly maintaining contingency planning and Disaster Recovery Plan documentation for ready availability in the event of a disaster. For example, we found Disaster Recovery Plan documents that were not timely updated, not standardized (there are Disaster Recovery Plans, Information Technology Contingency Plans, and Technical Contingency Planning Documents), not located in offsite storage or designated electronic file locations, incomplete, or inaccurate. However, management stated a working group has been established to review the various document templates to improve Disaster Recovery Plan standardization.

Material weakness area metrics – Completion due date as modified by management during our review: June 30, 2011 (completion was originally due March 31, 2009).

The IRS is not currently collecting and reporting metrics to assess progress and track improvements within the Disaster Recovery Program.

In summary, material weakness corrective actions have not been completed, and the IRS has extended the completion due dates.

The deficiencies discussed continue because of (1) several changes in management, (2) management's determination that other issues were more important than disaster recovery issues, and (3) unapproved budget requests for the resources and staff years needed to address disaster recovery issues. In addition, the IRS did not fully comply with the established disaster recovery guidance in the Internal Revenue Manual, which incorporates Office of Management and Budget, National Institute of Standards and Technology, and FISMA guidelines.

By not correcting previously reported deficiencies and not having formal guidance in place to govern the disaster recovery process, the IRS may be unable to recover its systems and operations in a timely and successful manner after a disaster. The IRS also may not be able to ensure minimal disruption to the collection of approximately $2.7 trillion in revenue for the Federal Government and the processing of more than 228 million tax returns.
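The findings above reduce to checks that can be run against a system inventory: does each system have an Information Technology Contingency Plan rather than a legacy Technical Contingency Planning Document, are its Recovery Time and Recovery Point Objectives defined and were they met at the last exercise, was the plan reviewed within the quarter, is there evidence of an unannounced offsite delivery test within the year, and were critical action items from the prior exercise addressed in the next one. The Python script below is an added example, not code from this report or from the IRS. It runs those checks over a constructed inventory, applies the judgmental sampling rule described in Appendix I (systems supporting four or more critical processes and not tested in the July 2007 exercise), and computes the kind of program-level metrics the report notes were not being collected. The system names, dates and hour figures, the 92-day quarter, the one-year window for the unannounced test and the July 2007 exercise date are all assumptions made for the example.

```python
"""Disaster recovery program checks over a constructed system inventory. Added example,
not code from the TIGTA report or the IRS; names, dates, hours and thresholds are assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

QUARTER = timedelta(days=92)  # tolerance for "reviewed quarterly" (assumption)
YEAR = timedelta(days=365)    # window for the annual unannounced vendor test (assumption)

@dataclass
class Exercise:
    tested_on: date
    unannounced: bool                       # unannounced offsite-vendor delivery test?
    backup_delivery_hours: Optional[float]  # vendor delivery time; None = no evidence kept
    recovery_hours: Optional[float]         # measured time to restore the system
    data_loss_hours: Optional[float]        # age of the newest backup that was restored
    critical_items_found: List[str] = field(default_factory=list)
    critical_items_addressed: List[str] = field(default_factory=list)

@dataclass
class SystemRecord:
    name: str
    critical_processes: int       # how many of the 25 critical processes it supports
    plan_type: Optional[str]      # "ITCP", "TCPD" (legacy document) or None
    plan_reviewed_on: Optional[date]
    rto_hours: Optional[float]
    rpo_hours: Optional[float]
    exercises: List[Exercise] = field(default_factory=list)

def select_sample(systems, exercised_on, min_processes=4):
    """Appendix I sampling rule: supports >= min_processes critical processes
    and was not tested in the exercise held on exercised_on."""
    return [s.name for s in systems if s.critical_processes >= min_processes
            and not any(e.tested_on == exercised_on for e in s.exercises)]

def unaddressed_carryover(system):
    """Critical items found in one exercise but not addressed in the next one."""
    ordered = sorted(system.exercises, key=lambda e: e.tested_on)
    return [(prev.tested_on.year, nxt.tested_on.year, item)
            for prev, nxt in zip(ordered, ordered[1:])
            for item in prev.critical_items_found
            if item not in nxt.critical_items_addressed]

def missed(objective_hours, measured_hours):
    """True when an objective exists and the measurement is absent or exceeds it."""
    return objective_hours is not None and (measured_hours is None or measured_hours > objective_hours)

def gap_findings(system, as_of):
    """Per-system findings, one per requirement the report lists."""
    f = []
    if system.plan_type != "ITCP":
        f.append("no Information Technology Contingency Plan (has: %s)" % system.plan_type)
    if system.rto_hours is None or system.rpo_hours is None:
        f.append("RTO/RPO not defined")
    if system.plan_reviewed_on is None or as_of - system.plan_reviewed_on > QUARTER:
        f.append("plan not reviewed within the last quarter")
    if not system.exercises:
        f.append("never exercised")
        return f
    last = max(system.exercises, key=lambda e: e.tested_on)
    if missed(system.rto_hours, last.recovery_hours):
        f.append("RTO %g h not met (measured %s h)" % (system.rto_hours, last.recovery_hours))
    if missed(system.rpo_hours, last.data_loss_hours):
        f.append("RPO %g h not met (data loss %s h)" % (system.rpo_hours, last.data_loss_hours))
    if not any(e.unannounced and e.backup_delivery_hours is not None
               and as_of - e.tested_on <= YEAR for e in system.exercises):
        f.append("no evidence of an unannounced offsite delivery test in the last year")
    for prev_year, next_year, item in unaddressed_carryover(system):
        f.append("critical item from %d exercise not addressed in %d: %s"
                 % (prev_year, next_year, item))
    return f

def program_metrics(systems, as_of):
    """Program-level metrics of the kind the report says were not being collected."""
    findings = {s.name: gap_findings(s, as_of) for s in systems}
    def share(ok):
        return round(100.0 * sum(1 for s in systems if ok(s)) / len(systems), 1)
    return {"systems": len(systems),
            "pct_with_itcp": share(lambda s: s.plan_type == "ITCP"),
            "pct_with_rto_rpo": share(lambda s: None not in (s.rto_hours, s.rpo_hours)),
            "pct_clean": share(lambda s: not findings[s.name]),
            "open_findings": sum(len(v) for v in findings.values())}

AS_OF = date(2007, 12, 1)          # hypothetical review date
JULY_EXERCISE = date(2007, 7, 16)  # hypothetical date of the July 2007 exercise
INVENTORY = [                      # constructed records, not real IRS data
    SystemRecord("MF", 9, "ITCP", date(2007, 10, 1), 24, 24, [
        Exercise(date(2006, 7, 17), False, 6, 20, 12,
                 critical_items_found=["implement modified programs while in DR mode"]),
        Exercise(date(2007, 7, 16), True, 5, 22, 20)]),  # 2006 item never addressed
    SystemRecord("RPS", 5, "TCPD", date(2006, 12, 6), 8, 4,
                 [Exercise(date(2006, 7, 17), False, None, 10, 8)]),
    SystemRecord("PAY", 2, "ITCP", date(2007, 11, 15), 48, 24,
                 [Exercise(date(2007, 7, 16), True, 4, 30, 6)]),
    SystemRecord("DCOM", 7, "ITCP", date(2007, 9, 20), None, None)]

if __name__ == "__main__":
    print({s.name: gap_findings(s, AS_OF) for s in INVENTORY})
    print(select_sample(INVENTORY, JULY_EXERCISE), program_metrics(INVENTORY, AS_OF))
```

Running the script prints the per-system findings, the judgmental sample and the metrics. In the constructed data the RPS record trips every check, DCOM has no RTO/RPO and has never been exercised, and the MF record carries its 2006 "modified programs" action item unaddressed into the 2007 exercise, which is the pattern described above under Disaster Recovery Plan Test and Exercise Development. Feeding such a checker real exercise records, with the vendor delivery time and restore time captured as evidence, is the repeatable process management commits to in its responses to Recommendations 3 and 5 below.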
Due to the continued program deficiencies, the Disaster Recovery Program material weakness should not be downgraded to a significant deficiency. We are making no recommendations for in-process areas such as the completion of the gap analysis of the current Modernization and Information Technology Services organization business resumption capabilities against business unit requirements and the development of metrics.

Recommendations

The Chief Information Officer should ensure:

Recommendation 1: All Disaster Recovery Plan documentation is standardized, complete, accurate, readily accessible in the event of a disaster (e.g., from offsite storage and designated electronic file library locations), detailed enough to be used verbatim to react to a worst-case scenario, and reviewed quarterly.

Management's Response: IRS management agreed with this recommendation and plans to evaluate and revise all existing Disaster Recovery Plan documentation and templates used to perform and coordinate disaster recovery-related activities; ensure all Plan documentation is standardized, accurate, comprehensive, appropriately detailed, up-to-date, and written in a clear, cohesive format; ensure Plan documentation includes all relevant Federal Government guidance and all other critical information needed to perform disaster recovery-related activities; perform a comprehensive inventory analysis audit to ensure the accessibility and availability of all Plan documentation and that the appropriate offsite storage and retrieval procedures are in place; and research a web-based centralized repository tool for maintaining disaster recovery documentation in a secure and readily accessible manner.

Recommendation 2: Effective completion of tasks as required in disaster recovery guidance incorporated in the Internal Revenue Manual from the Office of Management and Budget, the National Institute of Standards and Technology, and the FISMA.

Management's Response: IRS management agreed with this recommendation and plans to develop a comprehensive Disaster Recovery Internal Revenue Manual and ensure all program-related documentation adheres to and complies with all relevant Federal Government guidance. In addition, management will ensure effective completion of tasks as required in Internal Revenue Manual disaster recovery guidance through the embedded Compliance function within the Cybersecurity organization's Disaster Recovery organization. Management will also provide status reports on each of the disaster recovery recommendations through bi-monthly meetings with the Deputy Commissioner for Operations Support.

Recommendation 3: Offsite storage vendors can timely deliver all disaster recovery backup files and documentation to the disaster recovery site, verified using announced, unannounced, and annually planned tests.

Management's Response: IRS management agreed with this recommendation and plans to implement a documented repeatable process during the 2007-2008 annual FISMA reporting period that includes an Information Technology Contingency Plan/Disaster Recovery Test Guide and Checklist. Management also plans to direct test participants to provide evidence of the recovery backup files' delivery and the actual time frame for delivery. Business/System owners will update the Checklist with the results of the exercises and enter findings into the application/General Support Systems Plans of Action and Milestones. The completed Checklist will validate completion of the Tabletop Exercise and Functional Test and document findings. It will then be loaded into Trusted Agent FISMA as the artifact verifying the results of the exercise/test.

Recommendation 4: Appropriate disaster recovery site personnel are identified and provided with annual training to ensure they have the ability to implement the Disaster Recovery Plan in the event production site personnel are not available during a disaster.

Management's Response: IRS management agreed with this recommendation and plans to develop a comprehensive disaster recovery specific training curriculum; develop a specialized training course to address specific training requirements in various disaster recovery disciplines such as testing, plan development, business impact assessment, and compliance, and train all individuals who have disaster recovery responsibilities; initiate a site-to-site cross-training skill set evaluation and training program to ensure critical skill sets reside in a specific location, responsible individuals receive training, and skill sets are replicated in other locations; and develop a database as training is completed to provide an assessment report to management for use in evaluating training progress, qualified personnel, and skill set risks.

Recommendation 5: Disaster recovery exercise lessons learned or action items deemed critical are included in subsequent exercises.

Management's Response: IRS management agreed with this recommendation and plans to develop a repeatable process to ensure subsequent exercises include lessons learned or action items deemed critical. As all Information Technology Contingency Plans and Disaster Recovery Plans are exercised and tested, test participants will follow a formal Checklist to ensure documentation of system/organizational changes or problems encountered during plan implementation, execution, or testing. If more critical problems are found, Summary Findings will note where corrective actions and findings are documented for viewing and analysis by the Designated Approving Authority. Management also plans to develop a process for entering these findings in the application/General Support Systems Plans of Action and Milestones for monitoring and tracking, and to require the Designated Approving Authority to sign the Checklist validating that the Tabletop Exercise and Functional Test have been completed and findings documented.

Recommendation 6: A permanent file is established for keeping documentation supporting closure of prior recommended corrective actions and completion of material weakness corrective action plan components related to the Information Technology Contingency Planning material weakness.

Management's Response: IRS management agreed with this recommendation and established the Modernization and Information Technology Services organization's Information Technology Disaster Recovery organization. The responsibilities of this program office include validating all closure activities for corrective actions and collecting and maintaining all documentation that supports closure and/or mitigation of all corrective actions, material weaknesses, and any outstanding year-to-year weakness remediation recommendations. Management also established a process using project management schedules, work breakdown structures, and cross-organizational correspondence that enables this office to provide management with a more effective assessment of material weakness remediation progress for disaster recovery.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine the effectiveness of the corrective actions taken to resolve the previously reported disaster recovery material weaknesses.1 To accomplish our objective, we:

I. Determined whether the disaster recovery issues in the Computer Security Material Weakness Plan, IRS-2A-01-01, Material Weakness Area 1-6, Information Technology Contingency Planning Section have been effectively resolved.

   A. Reviewed Treasury Directives, Office of Management and Budget Circulars, the Internal Revenue Manual, industry best practices, and other guidelines governing disaster recovery.

   B. Reviewed the Computer Security Material Weakness Plan, IRS-2A-01-01, Material Weakness Area 1-6, Information Technology Contingency Planning Section and evaluated the effectiveness of corrective actions for the five corrective action components.
      We interviewed IRS personnel and obtained a list of 30 critical information technology systems that support 25 critical processes.2 We selected a judgmental sample of 8 of the 30 systems and obtained contingency plan documentation to determine whether each of the 8 major systems had an Information Technology Contingency Plan. The eight systems were selected for review based on being identified as supporting four or more of the critical processes and not being identified as tested during the disaster recovery exercise conducted in July 2007. We also reviewed management's efforts to establish the IRS' recovery capability in part via completion of a gap analysis that encompassed defining Recovery Time Objectives. We also determined the effectiveness of the disaster recovery planning test and exercise development activities by interviewing IRS personnel, reviewing applicable requirements, and identifying the degree of testing and participant involvement. We reviewed contingency plan documents in offsite storage boxes and/or at the disaster recovery test locations. Finally, we interviewed IRS personnel to determine whether any material weakness area metrics had been established and/or were being used.

   C. Obtained a walkthrough of the ECCs to verify the disaster recovery process.

   D. Determined whether Disaster Recovery Plans for the ECCs have been adequately tested and deficiencies identified from the disaster recovery tests have been adequately addressed. We reviewed the policies and procedures for conducting and evaluating tests, reviewed the Calendar Years 2006 and 2007 test plans, and requested documentation supporting disaster recovery-related training conducted prior to tests. We also observed the three ECC tests and reviewed the test results at the conclusion of the tests to determine the extent to which identified deficiencies (e.g., from the prior year) were addressed.

II. Determined whether the corrective actions identified by management to address prior audit recommendations in the Disaster Recovery Program3 have been effectively implemented.

   A. Reviewed the Joint Audit Management Enterprise System reports for the 35 open corrective actions (as of March 16, 2005) from prior Treasury Inspector General for Tax Administration audit reports to determine actions completed and the current due date for open corrective actions.

   B. Determined whether the corrective actions implemented were the agreed-upon corrective actions (e.g., regarding personnel, training, and testing) and effectively resolved the disaster recovery vulnerabilities. We interviewed IRS personnel and requested documentation supporting the corrective actions the IRS reported as closed in the Joint Audit Management Enterprise System reports. We also assessed whether the corrective actions reported as completed established a repeatable process and considered the effectiveness of any alternative corrective actions taken in lieu of the agreed-upon corrective actions and/or the need for additional corrective actions. Finally, we discussed with management the justification for extending the completion date for the open corrective actions.

III. Used computer-based data for background information related to 30 applications the IRS identified as supporting its 25 critical processes. We did not determine the validity and reliability of the data based on the scope of audit work performed. However, we did verify that these 30 major applications were included as a part of the IRS' As-Built Architecture.

1 See Appendix V for a Glossary of Terms.
2 Eighteen critical business processes and seven critical administrative or infrastructure processes.
3 The Disaster Recovery Program serves to facilitate cross-organizational buy-in, participation, concurrence, and communication of all IRS disaster recovery activities.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Gary Hinkle, Director
Scott Macfarlane, Director
Danny Verneuille, Audit Manager
Mark Carder, Senior Auditor
Olivia DeBerry, Auditor
Charlene Elliston, Auditor
Linda Screws, Auditor

Appendix III

Report Distribution List

Acting Commissioner C
Office of the Commissioner – Attn: Acting Chief of Staff C
Deputy Commissioner for Operations Support OS
Associate Chief Information Officer, Cybersecurity OS:CIO:C
Associate Chief Information Officer, Enterprise Operations OS:CIO:EO
Director, Disaster Recovery Operations OS:CIO:C
Director, Stakeholder Management OS:CIO:SM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
   Associate Chief Information Officer, Cybersecurity OS:CIO:C
   Director, Program Oversight Office OS:CIO:SM:PO

Appendix IV

Prior Audit Reports Addressing Disaster Recovery

1. The Internal Revenue Service Has Made Substantial Progress in Its Business Continuity Program, but Continued Efforts Are Needed (Reference Number 2003-20-026, dated December 2002).
2. Progress Has Been Made in Protecting Critical Assets (Reference Number 2003-20-047, dated February 2003).
3. Improvements Are Needed to Effectively Implement the Disaster Recovery Strategy for Consolidated Mid-Range Computer Systems (Reference Number 2003-20-084, dated April 2003).
4. The Implementation of Software Products to Manage and Control Computer Resources Needs Improvement (Reference Number 2003-20-151, dated July 2003).
5. Risks Are Mounting as the Integrated Financial System Project Team Strives to Meet an Aggressive Implementation Date (Reference Number 2004-20-001, dated October 2003).
6. The Master File Disaster Recovery Exercise Was Completed, but Significant Vulnerabilities Should Be Addressed (Reference Number 2004-20-053, dated March 2004).
7. The Custodial Accounting Project Team Is Making Progress; However, Further Actions Should Be Taken to Increase the Likelihood of a Successful Implementation (Reference Number 2004-20-061, dated March 2004).
8. Additional Disaster Recovery Planning, Testing, and Training Are Needed for Data Communications (Reference Number 2004-20-079, dated April 2004).
9. Mainframe Computer Disaster Recovery Risks Are Increased Due to Insufficient Computer Capacity and Testing (Reference Number 2004-20-142, dated August 2004).
10. The Integrated Financial System Project Team Needs to Resolve Transition Planning and Testing Issues to Increase the Chances of a Successful Deployment (Reference Number 2004-20-147, dated August 2004).
11. To Ensure the Customer Account Data Engine's Success, Prescribed Management Practices Need to Be Followed (Reference Number 2005-20-005, dated November 2004).
12. The Disaster Recovery Program Has Improved, but It Should Be Reported As a Material Weakness Due to Limited Resources and Control Weaknesses (Reference Number 2005-20-024, dated March 2005).

Appendix V

Glossary of Terms

As-Built Architecture: Presents an enterprise view of the IRS Information Technology and Business environments and documents the Current Production Environment (applications, data stores, infrastructure, data interfaces) and related organizations, locations, technology platforms, etc.

Business Continuity Plan: Defines recovery responsibilities and resources necessary to respond to a disruption to business operations.

Business Recovery Plan: Outlines procedures to be used for the resumption of business after a disaster, specifically telling personnel, in detail, what has to be done to resume business in the event of a disaster or unplanned work stoppage (e.g., shipping work to a backup center if necessary).

Business Resumption Strategy: A strategy to resume normal business activities in the event of an emergency or interruption of daily business.

Campus: The data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Computing Centers: Sites that support tax processing and information management through a data processing and telecommunications infrastructure.

Continuity of Operations Plan: A predetermined set of instructions or procedures that describe how an organization's essential functions will be sustained for up to 30 days as a result of a disaster event before returning to normal operations.

Critical Processes: The most important IRS processes from which agencywide resource decisions will be made. There are 25 critical processes made up of 18 critical business processes (e.g., remittance processing, tax return processing, refund processing) and 7 administrative or infrastructure critical processes (e.g., provide a safe and equipped working environment, provide payroll).

Desktop Disaster Recovery Test: A desktop simulation exercise conducted for major systems that cannot conduct a live test annually but that still involves the necessary participants and for which results are captured in a memorandum for the record.

Disaster Recovery Plan: A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.

Disaster Recovery Strategy: A strategy to ensure the IRS' ability to recover operations within stated business recovery time and point objectives.

End-to-End Disaster Recovery Test: A full-scale live test of the disaster recovery capability with the actual systems, network, personnel, and procedures under actual operational conditions.

General Support Systems: Sets of resources that provide necessary information technology infrastructure support to applications and business functionality such that compromise would have a severe adverse effect on the IRS mission, tax administration functions, and/or employee welfare.

Incident Response Plan: The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization's information technology system(s).

Information Technology Contingency Plan: A plan developed to document procedures established to recover information technology systems (general support systems or applications), operations, and data after a disruption.

Joint Audit Management Enterprise System: The Department of the Treasury's audit tracking and management control system that went live in January 2003 and replaced the IRS' Inventory Tracking Closure System as the system of record.

Master File: The IRS database that stores various types of taxpayer account information.
This database includes individual,\n                                    business, and employee plans and exempt organizations\n                                    data.\nMaterial Weaknesses                 Internal accounting and administrative control deficiencies\n                                    in operations or systems that, among other things, severely\n                                    impair or threaten the organization\xe2\x80\x99s ability to accomplish\n                                    its mission or to prepare timely, accurate financial\n                                    statements or reports.\nOperating System                    Software that directs a computer\xe2\x80\x99s operations, controlling\n                                    and scheduling the execution of other programs, and\n                                    managing storage, input/output, and communication\n                                    resources.\nPlans of Action and Milestones      A management process that outlines security weaknesses\n                                    pertaining to a specific system and the steps that need to\n                                    be taken to remediate them. 
It details resources required\n                                    to accomplish the milestones in meeting the task, and\n                                    scheduled completion dates for the mitigation.\nRecovery Point Objective            The point in time to which systems and data must be\n                                    restored after an outage (e.g., end of previous day\xe2\x80\x99s\n                                    processing) to resume processing transactions.\nRecovery Time Objective             The period of time within which data and system and\n                                    application functionality must be restored after an outage\n                                    (e.g., 1 business day) to resume processing transactions.\nTechnical Contingency Planning      Document developed to contain the recovery strategies,\nDocument                            essential resources, plans, and procedures necessary to\n                                    allow someone at a disaster site to implement the recovery\n                                    of the system in the event there is not a site disaster\n                                    recovery analyst or Disaster Recovery Plan available.\nTerritory                           An office that serves taxpayers within a specified\n                                    geographical area.\n\n                                                                                         Page 20\n\x0c    Disaster Recovery Issues Have Not Been Effectively Resolved,\n                    but Progress Is Being Made\n\n\n\n                                                    Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                           Page 21\n\x0cDisaster Recovery Issues Have Not Been Effectively Resolved,\n                but Progress Is Being Made\n\n\n\n\n                                                       Page 22\n\x0cDisaster Recovery 
Issues Have Not Been Effectively Resolved,\n                but Progress Is Being Made\n\n\n\n\n                                                       Page 23\n\x0cDisaster Recovery Issues Have Not Been Effectively Resolved,\n                but Progress Is Being Made\n\n\n\n\n                                                       Page 24\n\x0cDisaster Recovery Issues Have Not Been Effectively Resolved,\n                but Progress Is Being Made\n\n\n\n\n                                                       Page 25\n\x0cDisaster Recovery Issues Have Not Been Effectively Resolved,\n                but Progress Is Being Made\n\n\n\n\n                                                       Page 26\n\x0c'